Speaker reveals flaws in web browser security


Photo Credit: Karen Pinilla | Daily Texan Staff

Private browsing may not be so private after all.

Hovav Shacham, associate professor in computer science and engineering at the University of California San Diego, gave a talk Tuesday at the Gates Dell Complex about threats to user privacy in web browsers.

According to Shacham, while most browsers have protections in place for the user’s computer, they do not have similar protections for the user’s privacy. He said browsers such as Safari, Firefox, and Chrome can be exploited to track and identify web users, and that this problem will be difficult to fix.

“We will continue to have privacy violations under the current browser model,” Shacham said. “(Developers of browsers) apply the quickest and smallest possible fixes as bugs are found, which is very unlikely to ever yield a system that meaningfully protects privacy.”

Traditionally, cookies have been used as tracking mechanisms for advertisers. However, Shacham said that the web is full of less-obvious tracking mechanisms. One previously popular method was known as history sniffing. Websites ask your browser how different elements on a page are styled, including the color of links, which indicate a user’s browsing history. According to a paper by security consultant Paul Stone, malicious sites can check thousands of URLs per second in order to create a profile of the user.

“(History sniffing) is very effective, even to the point of identifying users based on whose social media profiles they view,” Shacham said. “Even after it was proved possible, no one knew if it was happening in the wild because it’s completely silent. It happens in the background.”

Shacham said that modern browsers have made it harder for sites to use this technique, but that other options for identifying users still exist. He added that websites can also ask the browser what was drawn on the screen, and since graphic processing units run slightly different on various computers, the differences in the pixels drawn help identify users, even across different browsers.

Additionally, in 2013 researchers at Carnegie Mellon described a technique called pixel stealing that allows malicious websites to read pixels from a different site. Through pixel stealing, websites can determine whether or not a user has an account with a particular site, along with other personal data. This data could be used to target advertising toward users who have accounts with certain sites.

Shacham said that these security flaws will probably not be fixed quickly.

“We have reported all of these bugs,” Shacham said. “But we haven’t convinced any browsers to deal with canvas fingerprinting, except for Tor. Mozilla is working on pixel stealing. I had to call in a personal favor at Apple just to get them to respond, acknowledging that they received the bug report.”

Shacham said that designing systems without security in mind makes it easier to create new things, but that programming the application right in the first place is easier than trying to patch mistakes as they are discovered.  

“As a computer scientist, users all over the world have entrusted their lives to us,” Shacham said. “I like to think we can do better with their security than where we are now. I want to repay their trust. I want to merit that trust.”